Web services, or Internet sites, very often provide information, products, services, and the like to their users. But a major concern to users and web services alike has been the security of the Internet, especially when transmitting sensitive information. Information security is often provided to users and/or web services through an encryption process. Encryption involves digitally signing, or encoding, information in such a way that only the person (or computer) with a key can decode it. Digitally signing data is commonly accomplished through the use of Public-key encryption. Public-key encryption uses a combination of a private key and a public key. In public key encryption, a particular originating computer that will transmit information to a remote computer knows both the private key and public key. The originating computer utilizes the public and private keys in a mathematical operation performed on the information to produce an encrypted message. The originating computer also provides the public key to the remote computer, but the private key remains private (i.e., secret) to the originating computer. To decode an encrypted message, the remote computer must use the public key, provided from the originating computer, and its own private key. If the data was modified, or the data was encrypted with a different private key, then the original data and the data calculated by the recipient will be different. This ensures that the data was not modified during transmission and that it originates from the true sender. A popular implementation of public-key encryption is the Secure Sockets Layer (SSL). SSL is an Internet security protocol used by Internet browsers and Servers to transmit sensitive information. SSL recently became part of an overall security protocol known as Transport Layer Security (TLS).
This Public Key Infrastructure (PKI) enables users of an unsecured public network, such as the Internet, to securely and privately exchange data, communication and/or currency over the network. An essential component of PKI is a digital certificate (certificate). The certificate is basically a bit of information that says that a particular computer or web server is trusted by an independent source known as a certificate authority. The certificate authority acts as an intermediary between both computers, and can confirm that each computer is in fact who it claims to be, and notarizes the public keys of each computer to the other. By signing the public key, the certificate authority asserts the identity of the subject/computer, the public key, and characteristics belonging to the subject/computer. The public key mathematically binds the certificate to its bearer, or to be exact, to the bearer's private or secret key. With certificates, it is possible to check the chain of trust that relates to the certificate and the public key, and through the certificate status checking mechanism to make sure the secret known only by the certificate bearer (i.e., private key) has not leaked.
In PKI, the status of certificates should be validated or authenticated before they are used. The status of a particular certificate can be determined by examining a certificate revocation list (CRL) that identifies certificates with a revoked status (i.e., certificates that are no longer trusted). The certificate authority that issues the certificate often publishes CRLs on, for example, a CRL server, and the issued certificate may include data specifying a Uniform Resource Locator (URL) identifying the address of the CRL server on the network. During an authentication process, an authentication server communicates with the CRL server identified by the URL and downloads the CRL to check the revocation status of the certificate.
Revocation status checking is often a client operation. For example, in today's SSL/TLS, clients like home users' machines often check the revocation status of a server's certificate during the SSL negotiation process. Unfortunately, CRL servers can receive a large number of download requests when significant numbers of clients have CRL checking enabled. Under such loads, the CRL server could fail to timely provide the requested CRL information. The failure to respond to a request in a timely manner often results in a network timeout on the client side. Accordingly, a system for validating the certificate revocation status is desired to address one or more of these and other disadvantages.